RISK MANAGEMENT POLICY - Kaikoura · risk. (AS/NZS ISO 31000:2009) Risk management framework: set of components that provide the foundations and arrangements for designing, implementing,

RISK MANAGEMENT POLICY

Risk Management Policy final - approved by Council February

2019.docx i

DOCUMENT MANAGEMENT

Purpose

To provide basic information about the document, outline the procedure for amendments, and describe the amendment history.

Document information

The following table provides basic information about the document.

Document name Kaikōura District Council – Risk Management Policy

Version V1 - Final

Release date 27 February 2019

Document reference

R:\1 Civic\1.4 Council Policies\1.4.27 Risk Management Policy final – approved by Council February 2019.docx

Prepared by Paul Numan

Document owners Finance and Commercial Manager

Review Date February 2021

Approval

This Strategy has been reviewed and approved by accountable officers in the table below:

Name & Title Date of Approval

Leadership Team 8 January 2019

Endorsement

This Strategy has been endorsed by the following:

Name & Title Date of Approval

Finance Audit and Risk Committee 29 January 2019

Council 27 February 2019


2019.docx ii

CONTENTS

DOCUMENT MANAGEMENT ........................................................................................................ i

CONTENTS .................................................................................................................................. ii

Purpose and scope .............................................................................................................. 3

Risk - a simple definition ...................................................................................................... 3

Principles of Risk Management ............................................................................................ 3

Mandate and commitment .................................................................................................. 3

Responsibilities .................................................................................................................... 4

Design and Implementation of a Risk Management Framework .......................................... 5

6.1. Risk Register ................................................................................................................................ 5

6.2. Accountability for managing risks ............................................................................................... 5

6.3. Risk Management Process .......................................................................................................... 5

Review and Improvement of the risk management system ................................................. 6

Definitions ........................................................................................................................... 6

Appendix A: Risk Management process description............................................................. 7

9.1. Establishing the context .............................................................................................................. 7

9.2. Risk identification ........................................................................................................................ 7

9.3. Risk analysis ................................................................................................................................ 7

9.4. Risk evaluation ............................................................................................................................ 8

9.5. Risk treatment ............................................................................................................................. 8

9.6. Monitoring and review ............................................................................................................... 9

9.7. Communication and consultation ............................................................................................... 9

Appendix B: Risk Assessment Process ............................................................................ 10

10.1. Likelihood .................................................................................................................................. 10

10.2. Impact ....................................................................................................................................... 10

10.3. Control Effectiveness ................................................................................................................ 11

10.4. Risk Matrix ................................................................................................................................ 11

10.5. Risk Level ................................................................................................................................... 11


2019.docx 3

Purpose and scope

The purpose of this policy is to provide Kaikoura District Council (KDC) with a risk management framework in order to effectively and efficiently manage risks inherent to the Council’s operations that can affect the achievement of its’ goals and objectives. KDC will do this by:

Ensuring risk-based information is available to support good decision-making

Providing assurance that risks are being appropriately addressed and managed, and

Ensuring compliance with applicable legislation and regulation. The Risk Management Policy describes the KDC’s approach to risk management, defines the roles and responsibilities, outlines the key aspects of the risk management process, and provides methods to revise and continually improve the way the organisation manages risk. By managing risk, KDC seeks to improve organisational performance and provides the tools necessary to ensure the accomplishment of its objectives.

Risk - a simple definition

For the purpose of this policy the following definition of risk will be used. Risk – the failure to meet and objective or achieve an outcome. Further definitions are provide at the end of this policy.

Principles of Risk Management

Kaikoura District Council’s approach to risk management is based on the International Standard AS/NZS ISO 31000:2009. As such, risk management is governed by the following set of principles:

Risk management creates and protects value, and contributes to the achievement of the objectives and the improvement of performance.

Risk management is an integral part of all organisational processes and is part of the responsibilities of Management at all levels.

Risk management helps to make informed decisions, prioritise actions and distinguish among alternative courses of action.

Risk management addresses uncertainty by using the best available information in a systematic, structured and timely manner.

Risk management is aligned with the internal and external context of the Organisation and takes human and cultural factors into account.

Risk management is transparent and involves stakeholders and decision makers at all levels of the Organisation.

Risk management is a continuous practice that continually senses and responds to change.

Mandate and commitment

Kaikoura District Council is exposed to many risks that may impact on the achievement of its objectives, the level and quality of the services it provides, its image and reputation, or compromise its ability to comply with regulatory and legal obligations. The Council and Leadership Team understand that a proper and systematic identification, assessment and treatment of risks contribute to making good decisions and to the achievement of


2019.docx 4

the objectives of the KDC. Risk is inherent to all areas and activities in the Organisation; therefore risk management is the responsibility of all its members and is part of everyday operations. The Council and Leadership Team are committed to:

providing the Organisation with the structure, tools and resources to manage risk properly;

ensuring that the risk management framework remains appropriate for the Organisation’s culture, objectives and strategies and is applicable to all areas; and

making decisions based on an understanding of the risks involved.

Responsibilities

Position Responsibilities

Council Ensure that a risk management framework is in place and that there are appropriate resources to manage risks effectively.

Approve and amend the Risk Management Policy.

Actively monitor risk

Make decisions using information about risks.

Finance, Audit and Risk Committee

Review the effectiveness and appropriateness of the risk management framework.

Provide feedback on the Risk Management Policy to the Leadership Team.

Ensure that the Organisation has internal control systems in place.

Advise the Council on matters of risk.

Chief Executive


Oversight of the risk management process, and lead and promote good risk management practice across the Organisation.

Manage high-level Corporate Risk and treatment plans, and ensure that status or more importantly, any change in status is reported to the Finance, Audit and Risk Committee.

Leadership Team


Implement the risk management framework, processes and internal controls across their area of the Organisation.

Lead and promote risk management culture within their areas.

Integrate risk management processes with council policies, processes & practices.

Monitor, review and report on relevant Risk assessment and treatment plans.

Staff and Contractors

Be aware of risk management and follow associated policies, processes and guidelines.

Everyday identification & management of risks and treatment plans.


2019.docx 5

Design and Implementation of a Risk Management Framework

6.1. Risk Register

All identified risks will be registered in Risk Register according to the Council Manager responsible for the risk. The register is accessible to all staff and contains all relevant information about the identification, analysis, evaluation and treatment of each risk as well as the assigned responsibilities and accountabilities. The Register is a tool used to monitor the evolution of risks and their associated treatment, and keep track of the decisions made.

6.2. Accountability for managing risks

Each risk will have a designated risk owner who will be responsible for understanding, analysing, evaluating and monitoring the evolution of the risk, as well as ensuring controls and mitigation actions are in place and remain effective.

Action plans are the overall responsibility of the designated owner who is responsible for evaluating, designing and executing the action plan effectively and in a timely manner as well as reporting its evolution.

6.3. Risk Management Process

Risk management is a continual process and is conducted across all relevant levels and functions as an integral part of managing the Organisation. The key steps of the process are: Establishing the context for managing risk: involves defining scope and criteria; identifying the activities, processes and objectives; identifying stakeholders; understanding the internal and external environment. Risk identification: involves identifying sources of risk and areas of impact; understanding and describing risk events, their causes and potential Impact; and determining risk ownership. Risk analysis: involves determining inherent level of risk through rating likelihood and consequence; assessing effectiveness of existing controls; and determining residual risk level. Risk evaluation: involves comparing risks against criteria; determining courses of action; and prioritising treatment and resources. Risk treatment: involves identifying, assessing and selecting treatment options; preparing and implementing treatment plans; and determining ownership of the treatment. Monitoring and review: relates to the periodical review of the risk management process by identifying emerging risks; detecting changes in context and risk analysis; reviewing decisions; and ensuring that controls are effective. Communication and consultation: relates to consulting with stakeholders and experts at each step of the process and communicating status of risks to the Organisation and relevant stakeholders.

Appendix A provides further information and description about the steps of the risk management process


2019.docx 6

Review and Improvement of the risk management system

Periodically, the risk management framework (including the risk management process) will be reviewed by the Leadership Team, the Finance, Audit and Risk Committee and Council to assess its effectiveness, ensure that it remains updated and appropriate for the context of the Organisation, and determine whether adjustments in policies, plans, staff training or other factors are needed.

Definitions

Risk: the effect of uncertainty on objectives (AS/NZS ISO 31000:2009). It can be understood as any deviation (positive or negative) from the objectives caused by lack of understanding, knowledge or information about a potential event. Risk is often described by reference to potential events and Impact. Risk management: coordinated activities to direct and control an organisation with regard to risk. (AS/NZS ISO 31000:2009) Risk management framework: set of components that provide the foundations and arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the Organisation. Risk management process: systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk. Refer Appendix A Risk assessment: overall process of risk identification, analysis and evaluation. Refer Appendix B Risk treatment: the process to modify a risk, usually by changing the likelihood and/or the Impact, or removing the risk source. Control: any process, policy, device, practice or other action that modifies the likelihood or the potential consequence of a risk event before the risk event occurs. Mitigation: any process, policy, device, practice or other action that modifies the consequence of a risk event after the risk event occurs.


2019.docx 7

Appendix A: Risk Management process description

9.1. Establishing the context

The first step for managing risks is to establish and understand the context in which Council operates. The general, organisation-wide context in which the Council operates should be taken into account when analysing Risks. A more specific examination of the context relevant to each activity, service or project will provide a more accurate identification, analysis, evaluation and treatment of risks associated with them.

Establishing the context involves the following tasks:

Identifying key goals and objectives

Defining the scope and criteria of the risk management process

Identifying internal and external stakeholders

Defining the level at which a risk becomes acceptable or tolerable

Understanding the external environment (for example regulatory, political, financial or legal requirements and factors, external trends having an impact on objectives)

Understanding the internal environment (for example resources available, organisational structure, other policies, processes and strategies, or the organisational culture)

Setting the context is the responsibility of the leadership team and it should be carried out by key staff involved in each activity. However, consultation with experts or external advice may be necessary to gain a better understanding and definition of the context.

9.2. Risk identification

Once the context is defined and understood, the next step is to generate a comprehensive list of risks based on events that might compromise the achievement of the objectives. Identification is about identifying and describing sources of risk, areas of impact, failures, events (including situations not happening), and their causes and potential Impact.

Usually risk events have several causes and a wide range of Impact (including cascade or cumulative effects), therefore, during this step it is necessary to consider and describe all relevant causes of the event and scenarios that show which Impact may occur. Identification should include risks whether or not their source is under control of KDC, even though the risk source or cause may not be evident.

All staff members are empowered and expected to identify risks however ensuring proper understanding and description of risks is the responsibility of the risk owner.

Each risk will be assigned a risk owner who will be accountable for managing and monitoring that risk.

9.3. Risk analysis

Risk analysis is the process by which the nature of risk is understood and its levels of significance are assessed. The inherent level of a risk (gross risk level) is determined by the likelihood of a risk event happening and the severity of Impact it has on every aspect of the Organisation. This level can change when there are changes in the context but is not modified by the actions Council takes. Once the inherent level of a risk is determined, a further analysis of likelihood and


2019.docx 8

consequence considering existing controls and their effectiveness is necessary to determine the residual or net risk level. Residual risk is the risk Council faces when taking into account the control and mitigation actions currently in place.

The analysis of likelihood and impact as well as the effectiveness of actions in place should be based on as much real data as possible, thus, research for information and historical data, and consultation with experts is important.

The scale of potential Impact if a risk event occurs (shown in Appendix B) is described in different categories. The scale of likelihood (shown in Appendix B) identifies how likely or how often a particular event is expected to occur. These categories and descriptors act as a guide to assist in ranking the severity of impacts at a corporate, organisation-wide level. The final step is determining the levels of each risk by multiplying their likelihood and impact factors from both inherent and residual analysis.

The analysis of Risks will be undertaken in a manner consistent with the reference tables.

9.4. Risk evaluation

The purpose of risk evaluation is to make decisions concerning which risks are tolerable and which need treatment, and also to set treatment priorities.

Having established the comparative risk levels applicable to individual risks, it is possible to rank those risks by representing them in a risk assessment matrix. This matrix, (in Appendix B), is a tool that enables the differentiation between risks that are significant and those that are of lesser significance, the selection of a course of action for each risk, and the prioritisation of treatment and resources.

The evaluation of risk is the responsibility of risk owners and subject to regular review by the Leadership Team, Finance, Audit and Risk and Council.

9.5. Risk treatment

Risk treatment involves identifying possible options and determining the most appropriate actions to treat the risk according to the evaluation. The options can include one or a combination of the following:

Avoiding the risk, by deciding not to continue with the activity that gives rise to the risk;

Removing the risk source;

Changing the likelihood of the risk occurring;

Changing the consequence if the risk occurs;

Changing the consequence after the risk occurs;

Transferring or sharing the risk with other parties.

Assessing and selecting treatment options involves the analysis of each option’s cost, effort, effectiveness, legal and regulatory requirements, and impact on the community, the environment and Council’s operations. The resulting treatment plan needs to be practical and achievable such that the necessary resources and timeframes can be realistically met.

Each risk treatment will be assigned an owner who will be responsible for designing, implementing and reporting the status of the treatment plan.

The selected treatment option for each risk should be recorded in the risk register. Where appropriate, detailed information about the plan including the list of actions and tasks, assigned


2019.docx 9

responsibilities and ownership, schedules, timeframes, measurements, etc., may be registered in a detailed treatment plan.

9.6. Monitoring and review

Kaikoura District Council operates in a changing environment, therefore the risks that the Council faces require periodic review. Regular monitoring and review of risk assessment and treatment plans against key criteria is necessary to ensure that they remain current and relevant. Responsibilities for monitoring and reviewing are assigned according to the type of risk and the related activity. Activity, Asset and Project Managers are responsible for periodically monitoring and reviewing risks and treatment plans for their areas while the Executive is responsible for Corporate Risks.

The reviewing and monitoring process involves:

Detecting changes in the context, including changes to risk criteria, that can give rise to new risks, change existing risks or require revision of treatment and priorities.

Identifying emerging risks.

Detecting changes in risk analysis rating and hierarchy.

Obtaining further information to improve risk assessment.

Reviewing decisions made and their rationale. Ensuring treatment plans are effective and efficient in design and operation.

9.7. Communication and consultation

Communication and consultation are essential during each step of the risk management process.

Communication at all stages is important to keep all relevant stakeholders and staff informed about the risks the Council faces and how they are being managed. The status of the management of Risks will be communicated on a regular basis through reports to the Leadership Team and the Finance, Audit and Risk Committee. The reports will highlight newly identified risks, changes to risk assessment and treatment, decisions made and issues that require special attention. In the same way, Risks will be communicated to the Management of the corresponding areas.

The risk management process should be carried out with the consultation of internal and external stakeholders, advice of experts and ideas, suggestion and co-operation of staff in order to appropriately establish the context; ensure that risks are adequately identified; bring different areas of expertise together when analysing risks; ensure all views are considered in evaluating risks; and secure support for a treatment plan.


2019.docx 10

Appendix B: Risk Assessment Process

Likelihood x Impact = Inherent Risk Inherent Risk – Controls Effectiveness = Residual Risk

10.1. Likelihood

Frequency Score

Rare May only occur in exceptional circumstances 1

Unlikely Could occur – only very occasionally 2

Possible Might occur from time to time 3

Likely Will probably occur often 4

Almost certain Is expected to occur in almost all circumstances 5

10.2. Impact

No Impact

Insignificant Minor Moderate Major Catastrophic

Score 0 1 2 3 4 5

Health, Safety and Wellbeing

No Impact Low possibility of minor injury/ illness/ harm

Minor injury/ illness/ harm to single person or confined to a localised area

Moderate injury/ illness/ harm affecting some people in a localised area

Some loss of life/ serious injury/ illness/ harm affecting multiple people and/or areas

Widespread loss of life/serious/ injuries/illness/harm affecting majority of the district

Operational (infrastructure/business processes staff)

No Impact One-off /insignificant disruption/service outage

Temporary disruption/service outage with localised impact

Medium term disruption/service outage with localised impact

Temporary disruption/service outage with widespread impact

Disruption/service outage with district wide (or larger)

Political (elected members/government and funders)

No Impact Short-lived negative feedback from individuals or small group

Sections of local political decision makers lose confidence

Widespread local loss in political confidence

National-level loss of political confidence

Insurmountable loss of political confidence

Reputational/image (community visitors and ratepayers)

No Impact Short lived negative feedback from individuals or small local group(s)

Sections of the local community lose confidence due to negative coverage or feedback

Widespread sections of the local community lose confidence due to negative coverage or feedback

Negative coverage or feedback affects Council reputation at a national level

Negative coverage or feedback affects Council reputation at an international level

Financial No Impact Loss to Council or damage to local economy of less than $50,000

Loss to Council or damage to local economy of $50-000, $100,000

Loss to Council or damage to local economy of $100,000 - $250,000.

Loss to Council or damage to local economy of $250,000-$1 million.

$1 million or more of loss to Council or in damage on local economy.

Environmental No Impact Minimal pollution or other environmental damage. Localised. No effect

Small scale or other environmental damage. Short term effect.

Pollution or other environmental damage. Localised. Medium term effect

Significant and widespread pollution or other environmental damage. Long term effect

Irreversible and widespread pollution or other environmental damage. Long term effect.


2019.docx 11

10.3. Control Effectiveness

The Impacts and likelihood are re-evaluated based on the mitigation and control measures put in place.

If the risk is still Medium or High even with mitigation and control measures put in place, then further actions are required to bring the risk to as low as possible.

When the mitigation and control measure actions have been implemented the risk can then be re-evaluated to confirm the risk is low as possible.

10.4. Risk Matrix

Insignificant Minor Moderate Major Catastrophic

Rare 1 2 3 4 5

Unlikely 2 4 6 8 10

Possible 3 6 9 12 15

Likely 4 8 12 16 20

Almost certain

5 10 15 20 25

10.5. Risk Level

LOW

MEDIUM

HIGH

Documents

RISK MANAGEMENT POLICY - Kaikoura · risk. (AS/NZS ISO 31000:2009) Risk management framework: set of components that provide the foundations and arrangements for designing, implementing,